我一直在尝试protostar stack0挑战,想知道如果没有源代码,如何找出缓冲区大小。
原始站点(http://exploit-exercises.com/protostar)不再可用,但是您仍然可以从https://download.vulnhub.com/exploitexercises/exploit-exercises-protostar-2.iso下载ISO副本
这是汇编代码
(gdb) disassemble main
Dump of assembler code for function main:
0x080483f4 <main+0>: push ebp
0x080483f5 <main+1>: mov ebp,esp
0x080483f7 <main+3>: and esp,0xfffffff0
0x080483fa <main+6>: sub esp,0x60
0x080483fd <main+9>: mov DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>: lea eax,[esp+0x1c]
0x08048409 <main+21>: mov DWORD PTR [esp],eax
0x0804840c <main+24>: call 0x804830c <gets@plt>
0x08048411 <main+29>: mov eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>: test eax,eax
0x08048417 <main+35>: je 0x8048427 <main+51>
0x08048419 <main+37>: mov DWORD PTR [esp],0x8048500
0x08048420 <main+44>: call 0x804832c <puts@plt>
0x08048425 <main+49>: jmp 0x8048433 <main+63>
0x08048427 <main+51>: mov DWORD PTR [esp],0x8048529
0x0804842e <main+58>: call 0x804832c <puts@plt>
0x08048433 <main+63>: leave
0x08048434 <main+64>: ret
End of assembler dump.
(gdb)
基于代码,我可以看到gets
函数(从stdin中读取一行)。
0x0804840c <main+24>: call 0x804830c <gets@plt>
0x08048411 <main+29>: mov eax,DWORD PTR [esp+0x5c]
因此,我在该行之前和之后都设置了断点,以查看其功能。
(gdb) info breakpoints
No breakpoints or watchpoints.
(gdb) break *0x0804840c
Breakpoint 3 at 0x804840c: file stack0/stack0.c, line 11.
(gdb) break *0x08048411
Breakpoint 4 at 0x8048411: file stack0/stack0.c, line 13.
(gdb)
是时候使用随机数据测试gets
函数了。
user@protostar:~$ python -c 'print "A"*60'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
user@protostar:~$
在第一种情况下,我将提供60 *一个字符。我使用上面的python代码生成60个A字符。
(gdb) r
Starting program: /opt/protostar/bin/stack0
Breakpoint 3, 0x0804840c in main (argc=1, argv=0xbffff864) at stack0/stack0.c:11
11 in stack0/stack0.c
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 4, main (argc=1, argv=0xbffff864) at stack0/stack0.c:13
13 in stack0/stack0.c
(gdb) i r $eip $esp $ebp
eip 0x8048411 0x8048411 <main+29>
esp 0xbffff750 0xbffff750
ebp 0xbffff7b8 0xbffff7b8
(gdb) x/40 $esp
0xbffff750: 0xbffff76c 0x00000001 0xb7fff8f8 0xb7f0186e
0xbffff760: 0xb7fd7ff4 0xb7ec6165 0xbffff778 0x41414141
0xbffff770: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff780: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff790: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7a0: 0x41414141 0x41414141 0x08048400 0x00000000
0xbffff7b0: 0x08048450 0x00000000 0xbffff838 0xb7eadc76
0xbffff7c0: 0x00000001 0xbffff864 0xbffff86c 0xb7fe1848
0xbffff7d0: 0xbffff820 0xffffffff 0xb7ffeff4 0x0804824b
0xbffff7e0: 0x00000001 0xbffff820 0xb7ff0626 0xb7fffab0
(gdb) c
Continuing.
Try again?
Program exited with code 013.
(gdb)
我知道如果看到源代码,如果我输入超过64 A的电流,我就会得到答案。
(gdb) r
Starting program: /opt/protostar/bin/stack0
Breakpoint 3, 0x0804840c in main (argc=1, argv=0xbffff864) at stack0/stack0.c:11
11 in stack0/stack0.c
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 4, main (argc=1, argv=0xbffff864) at stack0/stack0.c:13
13 in stack0/stack0.c
(gdb) i r $eip $esp $ebp
eip 0x8048411 0x8048411 <main+29>
esp 0xbffff750 0xbffff750
ebp 0xbffff7b8 0xbffff7b8
(gdb) x/40 $esp
0xbffff750: 0xbffff76c 0x00000001 0xb7fff8f8 0xb7f0186e
0xbffff760: 0xb7fd7ff4 0xb7ec6165 0xbffff778 0x41414141
0xbffff770: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff780: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff790: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7a0: 0x41414141 0x41414141 0x41414141 0x00000041
0xbffff7b0: 0x08048450 0x00000000 0xbffff838 0xb7eadc76
0xbffff7c0: 0x00000001 0xbffff864 0xbffff86c 0xb7fe1848
0xbffff7d0: 0xbffff820 0xffffffff 0xb7ffeff4 0x0804824b
0xbffff7e0: 0x00000001 0xbffff820 0xb7ff0626 0xb7fffab0
(gdb) c
Continuing.
you have changed the 'modified' variable
Program exited with code 051.
(gdb)
问题是,如果我没有源代码怎么办?
如何找出确切的缓冲区大小?
答案 0 :(得分:0)
我是RE的新手,但我会尽力回答
0x080483fd <main+9>: mov DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>: lea eax,[esp+0x1c]
在main + 9上,它在[esp + 0x5c]上存储0x0,并且任何输入将从[esp + 0x1c]到[esp + 0x5c]都存储在缓冲区中。所以0x5c-0x1c = 64(十进制)